SmartScreen® Application Reputation – Building Reputation

With the Internet Explorer 9 (IE9) beta in September we introduced
IE9's new application reputation feature and more recently we provided a
summary of how this fits into the overall
layered approach to security. With the final release of IE9 now available,
we want to share some additional information about application reputation, clarify
how code signing impacts the IE experience, and reiterate industry best practices
that application developers should consider.

SmartScreen Application Reputation is a consumer focused safety feature that helps
consumers make better decisions about the programs they download. Downloads are
automatically assigned a reputation rating based on multiple algorithms that consider
many objective criteria, such as antivirus results, download traffic, download history,
and URL reputation. If a user opts into enabling the SmartScreen Filter, application
downloads without established reputation result in a notification (see below) warning them that the file may be a risk to their computer.

From this notification, users can choose to delete the file or ignore the warning and run the downloaded
program. For the typical user, the risk of running the download is a 25% to 40% chance
of malware infection. We've been building reputation for some time now and approximately
90% of all application downloads have established reputation by hash or digital
certificate. For the typical user, this notification is an infrequent experience
associated with higher risk of malware infection. To put the scale of this risk
in perspective, approximately 7% of all executable files downloaded by Internet
Explorer are later confirmed as malicious. A portion of these attacks are prevented
by blocklist solutions such as SmartScreen URL reputation or antivirus products.
Unfortunately, no blocklist-based solution is 100% effective at preventing these
attacks. Since Application Reputation was enabled in the IE9 beta release, the feature
has greatly reduced infection rates from attacks that were not otherwise detected
at the time of download.

Unsigned Download – IE9 Application Reputation Notification

Signed Download – IE9 Application Reputation Notification

How programs are identified in IE9

A download’s Application Reputation is assigned by:

a hash of the downloaded file

the digital certificate used to sign the file (if signed)

The file hash is an exact identifier for the specific file downloaded. If any part
of the application changes, the program identity (file hash) will also change. An
unsigned application that is updated regularly (e.g. unsigned daily builds) will
appear as multiple distinct programs that will have to build reputation individually.

Reputation is also generated for digitally signed downloads based on the digital
certificate used to sign the file. Digital certificates allow reputation to be assigned
to a single identity (digital certificate) across multiple files. If you are not
signing your programs, reputation will be built independently for each file you
distribute. In contrast, signed programs may inherit the reputation of your digital
certificate.

Why Sign Your Code?

For developers distributing applications online, signing your code is not required to establish reputation, but it is highly recommended.
Code signing is an industry best practice that allows consumers to authenticate
that files signed by a publisher are actually from that publisher. Signing also
helps ensure that files cannot be secretly tampered with while stored on a server
or during the download process. Without a digital signature, there is no way for
a user to validate who actually created the file. This threat is commonly exploited
by malware authors in their social engineering attacks.

Of course, the presence of a digital signature alone does not ensure a download
is non-malicious. Digitally signing your application is not a guarantee that your
download will have established reputation immediately, but can play an important
part in ensuring that your applications receive the reputation they deserve.

Note that even if SmartScreen® Filter is disabled, users will be warned before unsigned
applications are run:

Internet Explorer 9 – Unsigned File Notification

Best Practices for Application Developers

There are several industry best practices an application developer can follow to
help establish and maintain reputation for your applications:

Digitally sign your programs with an Authenticode signature.

Obtain a valid Authenticode code signing certificate from one of the many certificate
authorities (CAs) supported by Windows.

Use development tools (such as
signtool.exe) to sign your applications prior to distribution.

Ensure downloads are not detected as malware. Downloaded programs that are detected and confirmed as malware
will affect both the download’s reputation and the reputation of the digital certificate
used to sign that file.